001
014
015 package com.liferay.portal.security.pacl.checker;
016
017 import com.liferay.portal.kernel.log.Log;
018 import com.liferay.portal.kernel.log.LogFactoryUtil;
019 import com.liferay.portal.kernel.util.ServerDetector;
020 import com.liferay.portal.security.pacl.PACLClassUtil;
021
022 import java.security.Permission;
023
024 import sun.reflect.Reflection;
025
026
029 public class SecurityChecker extends BaseChecker {
030
031 public void afterPropertiesSet() {
032 }
033
034 public void checkPermission(Permission permission) {
035 String name = permission.getName();
036
037 if (name.equals(SECURITY_PERMISSION_GET_POLICY)) {
038 if (!hasGetPolicy()) {
039 throwSecurityException(_log, "Attempted to get the policy");
040 }
041 }
042 else if (name.equals(SECURITY_PERMISSION_SET_POLICY)) {
043 if (!hasSetPolicy()) {
044 throwSecurityException(_log, "Attempted to set the policy");
045 }
046 }
047 else {
048 if (_log.isDebugEnabled()) {
049 Thread.dumpStack();
050 }
051
052 throwSecurityException(
053 _log,
054 "Attempted to " + permission.getName() + " on " +
055 permission.getActions());
056 }
057 }
058
059 protected boolean hasGetPolicy() {
060 Class<?> callerClass8 = Reflection.getCallerClass(8);
061
062 if (isGlassfishJ2EEInstanceListener(
063 callerClass8.getEnclosingClass()) &&
064 CheckerUtil.isAccessControllerDoPrivileged(9)) {
065
066 logGetPolicy(callerClass8, 8);
067
068 return true;
069 }
070
071 if (isWebSphereWASJSPExtensionServletWrapper(callerClass8)) {
072 logGetPolicy(callerClass8, 8);
073
074 return true;
075 }
076
077 return false;
078 }
079
080 protected boolean hasSetPolicy() {
081 Class<?> callerClass6 = Reflection.getCallerClass(6);
082
083 if (isGlassfishPolicyContextHandlerImpl(callerClass6)) {
084 logSetPolicy(callerClass6, 6);
085
086 return true;
087 }
088
089 Class<?> callerClass7 = Reflection.getCallerClass(7);
090
091 if (isGeronimoDispatchListener(callerClass7)) {
092 logSetPolicy(callerClass7, 7);
093
094 return true;
095 }
096
097 return false;
098 }
099
100 protected boolean isGeronimoDispatchListener(Class<?> clazz) {
101 if (!ServerDetector.isGeronimo()) {
102 return false;
103 }
104
105 if (clazz == null) {
106 return false;
107 }
108
109 String className = clazz.getName();
110
111 if (!className.equals(_CLASS_NAME_DISPATCH_LISTENER)) {
112 return false;
113 }
114
115 String classLocation = PACLClassUtil.getClassLocation(clazz);
116
117 return classLocation.contains(
118 "/repository/org/apache/geronimo/modules/geronimo-tomcat6/");
119 }
120
121 protected boolean isGlassfishJ2EEInstanceListener(Class<?> clazz) {
122 if (!ServerDetector.isGlassfish()) {
123 return false;
124 }
125
126 if (clazz == null) {
127 return false;
128 }
129
130 String className = clazz.getName();
131
132 if (!className.equals(_CLASS_NAME_J2EE_INSTANCE_LISTENER)) {
133 return false;
134 }
135
136 String classLocation = PACLClassUtil.getClassLocation(clazz);
137
138 return classLocation.startsWith("bundle:
139 }
140
141 protected boolean isGlassfishPolicyContextHandlerImpl(Class<?> clazz) {
142 if (!ServerDetector.isGlassfish()) {
143 return false;
144 }
145
146 if (clazz == null) {
147 return false;
148 }
149
150 String className = clazz.getName();
151
152 if (!className.equals(_CLASS_NAME_POLICY_CONTEXT_HANDLER_IMPL)) {
153 return false;
154 }
155
156 String classLocation = PACLClassUtil.getClassLocation(clazz);
157
158 return classLocation.startsWith("bundle:
159 }
160
161 protected boolean isWebSphereWASJSPExtensionServletWrapper(Class<?> clazz) {
162 if (!ServerDetector.isWebSphere()) {
163 return false;
164 }
165
166 String className = clazz.getName();
167
168 if (!className.equals(_CLASS_NAME_WAS_JSP_EXTENSION_SERVLET_WRAPPER)) {
169 return false;
170 }
171
172 String classLocation = PACLClassUtil.getClassLocation(clazz);
173
174 return classLocation.startsWith("bundleresource:
175 }
176
177 protected void logGetPolicy(Class<?> callerClass, int frame) {
178 if (_log.isInfoEnabled()) {
179 _log.info(
180 "Allowing frame " + frame + " with caller " + callerClass +
181 " to get the policy");
182 }
183 }
184
185 protected void logSetPolicy(Class<?> callerClass, int frame) {
186 if (_log.isInfoEnabled()) {
187 _log.info(
188 "Allowing frame " + frame + " with caller " + callerClass +
189 " to set the policy");
190 }
191 }
192
193 private static final String _CLASS_NAME_DISPATCH_LISTENER =
194 "org.apache.geronimo.tomcat.listener.DispatchListener";
195
196 private static final String _CLASS_NAME_J2EE_INSTANCE_LISTENER =
197 "com.sun.web.server.J2EEInstanceListener";
198
199 private static final String _CLASS_NAME_POLICY_CONTEXT_HANDLER_IMPL =
200 "com.sun.enterprise.security.authorize.PolicyContextHandlerImpl";
201
202 private static final String _CLASS_NAME_WAS_JSP_EXTENSION_SERVLET_WRAPPER =
203 "com.ibm.ws.jsp.webcontainerext.ws.WASJSPExtensionServletWrapper";
204
205 private static Log _log = LogFactoryUtil.getLog(SecurityChecker.class);
206
207 }